pidgin: 0c5825d5: Fix a read-after-free from valgrind:
qulogic at pidgin.im
Sat May 29 19:31:08 EDT 2010
-----------------------------------------------------------------
Revision: 0c5825d5c8cf7e382a744e266bb4c67753d24db4
Ancestor: defc777c1a4423d29c89b18509b14e037ab40f57
Author: qulogic at pidgin.im
Date: 2010-05-29T22:52:14
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/0c5825d5c8cf7e382a744e266bb4c67753d24db4
Modified files:
libpurple/upnp.c
ChangeLog:
Fix a read-after-free from valgrind:
Invalid read of size 8
at 0x9BD2816: purple_upnp_cancel_port_mapping (upnp.c:931)
by 0x9BAEF41: purple_network_listen_cancel (network.c:585)
by 0x1A49D7FD: msn_dc_destroy (directconn.c:204)
Address 0x19c3c748 is 8 bytes inside a block of size 16 free'd
at 0x4C239BF: free (vg_replace_malloc.c:325)
by 0xBC1EB97: g_slist_delete_link (gslist.c:446)
by 0x9BD2815: purple_upnp_cancel_port_mapping (upnp.c:928)
by 0x9BAEF41: purple_network_listen_cancel (network.c:585)
by 0x1A49D7FD: msn_dc_destroy (directconn.c:204)
-------------- next part --------------
============================================================
--- libpurple/upnp.c 7cebd02e27ff983b2c040c5962ccf6670a8c0919
+++ libpurple/upnp.c 9fc379d322544d76786aa42e6e51e8abd4a10a56
@@ -921,15 +921,18 @@ void purple_upnp_cancel_port_mapping(UPn
/* Remove ar from discovery_callbacks if present; it was inserted after a cb.
* The same cb may be in the list multiple times, so be careful to remove
* the one associated with ar. */
- l = discovery_callbacks;
+ l = discovery_callbacks;
while (l)
{
- if (l->next && (l->next->data == ar)) {
- discovery_callbacks = g_slist_delete_link(discovery_callbacks, l->next);
+ GSList *next = l->next;
+
+ if (next && (next->data == ar)) {
+ discovery_callbacks = g_slist_delete_link(discovery_callbacks, next);
+ next = l->next;
discovery_callbacks = g_slist_delete_link(discovery_callbacks, l);
}
- l = l->next;
+ l = next;
}
if (ar->tima > 0)
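Review bot: In the `if (next && (next->data == ar))` branch, the re-read `next = l->next;` is correct only because `g_slist_delete_link(discovery_callbacks, next)` has already relinked `l->next` past the removed node, and because it runs before `g_slist_delete_link(discovery_callbacks, l)` frees `l`. Nothing in the code says so, and the removed `l = l->next;` after the delete of `l` shows how easily that order gets lost, so please add a short comment on that line stating that it must precede the second delete. If `ar` can be present only once in `discovery_callbacks`, a `break` after the second delete would end the walk without touching the list again. The `-`/`+` pair on `l = discovery_callbacks;` reads identically here, so it looks like a whitespace-only change that could be dropped from this fix.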